List of websites and whether or not they support 2FA (twofactorauth.org)
29 points by chatmasta on Oct 26, 2019 | 24 comments


This site should call out common 2FA implementation mistakes, like requiring a special app or device instead of using standard TOTP, not providing revokable printable recovery codes, not allowing SMS to be disabled when other 2FA methods are added, or not supporting multiple hardware keys.
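One way a site can implement the "revokable printable recovery codes" this comment asks for, as an added example that is not code from the thread or from twofactorauth.org. The design is the common one: codes are high-entropy random strings, the server stores only their SHA-256 hashes (plain hashing is acceptable because the codes carry about 49 bits of entropy, unlike user-chosen passwords), each code is accepted exactly once, and the user can revoke the whole set or re-issue it. The class and function names are this example's own assumptions.

```python
"""Added example (not from the thread or twofactorauth.org): issue, store,
redeem and revoke single-use recovery codes for one account."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Lower-case letters and digits with look-alikes (0/o, 1/l/i) removed, so a
# printed sheet can be typed back reliably.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LENGTH = 10  # 31**10 is roughly 2**49; still pair this with rate limiting


def _new_code() -> str:
    return "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))


def format_code(raw: str) -> str:
    """Display form for printing: 'abcde-fghjk'."""
    return f"{raw[:5]}-{raw[5:]}"


def normalize(entered: str) -> str:
    """Accept what a user types back: ignore dashes, spaces and case."""
    return entered.replace("-", "").replace(" ", "").strip().lower()


def hash_code(raw: str) -> str:
    return hashlib.sha256(raw.encode("ascii")).hexdigest()


@dataclass
class RecoveryCodeStore:
    """Per-account storage (assumed shape): only hashes of unused codes are kept."""
    hashes: set[str] = field(default_factory=set)

    def issue(self, count: int = 8) -> list[str]:
        """Generate a fresh set; any earlier set is revoked in the process."""
        raws = [_new_code() for _ in range(count)]
        self.hashes = {hash_code(r) for r in raws}
        return [format_code(r) for r in raws]  # shown/printed once, never stored

    def redeem(self, entered: str) -> bool:
        """Consume one code. Returns True once per code, then False."""
        candidate = hash_code(normalize(entered))
        matched = None
        for stored in self.hashes:  # compare every entry: no early exit
            if hmac.compare_digest(stored, candidate):
                matched = stored
        if matched is None:
            return False
        self.hashes.discard(matched)  # single use
        return True

    def revoke_all(self) -> None:
        """User-initiated revocation: the printed sheet becomes worthless."""
        self.hashes.clear()

    def remaining(self) -> int:
        return len(self.hashes)


if __name__ == "__main__":
    store = RecoveryCodeStore()
    sheet = store.issue()
    print("printed once:", sheet)
    print("first use:", store.redeem(sheet[0]), "second use:", store.redeem(sheet[0]))
    store.revoke_all()
    print("after revocation:", store.redeem(sheet[1]), "remaining:", store.remaining())
```

The two properties the comment is after are `revoke_all()` (and the implicit revocation inside `issue()`), and the fact that the plaintext sheet exists only in the return value of `issue()`; a database leak exposes hashes of random strings, not usable codes.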



Sounds like a good pull request for Hacktoberfest


This is a great opportunity to bash Spotify. Their abuse of credentials is abysmal. Not only is there no 2FA, but there's also no email confirmation for password reset.

Yes, I've said it - if you leave an open Spotify running somewhere, someone can walk by and take over your account.


I experienced this in a different way! For some reason I had duplicate user names or something tied to my old email address that I could no longer receive emails at (or wasn't receiving, on requesting a reset link). I opened a chat (I recall?) with the customer service, and after explaining, the person typed, "ok I have reset your account email address to xyz@hotmail.com" (which I provided).

What!? Without any verification or corroborating proof of me being the account holder? This is really shady.


Good idea. Unfortunately any 2FA using a phone number (SMS or phone call) is highly insecure -- see Jack Dorsey having his Twitter hijacked, or any number of people having bitcoins stolen from Coinbase. That implementation should be marked with a big red X, not a green checkmark.


If it's 2FA and not an account recovery shortcut it doesn't deserve a cross mark because it's not _worse_ than nothing - nobody is finding it _easier_ to get in by hijacking your phone number as an extra step.

If your argument is that phone based 2FA is no good because it's vulnerable that'd count for TOTP as well, which is vulnerable to live phishing attacks that are now relatively widespread. In both cases they're a lot better than nothing.


> see Jack Dorsey having his Twitter hijacked

His account was hijacked because his phone number was a single factor.


I think a better description is: using your phone number for 2-factor auth and account means if you steal someone's phone number (via SIM hacking usually) then you can do anything, because you can reset the account through the phone number, and then you can set the password, and now you control 2 factors (phone + password).


That sounds like a bad way to implement 2FA, indeed.


On a not-so-related note, a number of sites and messaging apps require login via phone number. This doesn't seem to have necessarily penetrated western apps, but is seemingly more prevalent in Asian/African countries.

Does this mean those applications are ipso facto vulnerable, via a similar attack vector?


If the phone number is acting as the identity (like email for a lot of sites today) then no, that's not vulnerable to anything, though over the longer term it can cause confusion as "your" phone number turns out to have previously belonged to somebody else who isn't using the phone number any more but does use lots of accounts with that number...


> If the phone number is acting as the identity (like email for a lot of sites today) then no, that's not vulnerable to anything

Email is hard to hack (you need a password, and possibly a second factor if the email account is properly secured).

Phone numbers are easier to spoof using SIM swapping. See https://www.theverge.com/2019/8/31/20841448/jack-dorsey-twit...


True, but as long as the user does realize this, and they still keep using the very same high quality password, it is better than that very password without 2FA over SMS.


This is a useful site for me. Though not (only) because of the intended usage, but because of having a list of websites and services by topic curated by the developer community (who else adds a website by pull request?)


Their policy is to reject otherwise-fine PRs if the site in question is not in the Alexa top 200K, so no, this is not a good resource for either the stated purpose or for your stated purpose.


The Alexa top 200k seems like a good bar. Beyond that you're going to get a lot of noise.

HN ranks pretty highly, and we're a "niche" community.


I’m sorry but how is “site xyz supports 2FA” noise, given that you essentially need to search, regardless of what site you want to check?

Are you saying only the top 200K sites are important enough to warrant 2FA at all?


Google is rumored to support TOTP, only I have to first provide my phone number to find out. Which means their ‘2fa support’ is useless to me and looks more like those ‘put in your phone number to download the pdf’ websites.


I'd be more enthusiastic about this if it were about more than just 2FA. That's not the end-all-be-all of website security, and there are sites here which get the "green checkmark" of approval but I'm suspicious of for other reasons. Security is complex, and I wouldn't want my website to be shamed for not having someone's one pet feature. Especially if some other site got a thumbs-up for a flawed implementation.

A site like this would be great if it included columns for other security features so I can see whether they take security seriously overall.


Didn't this page used to say whether or not a site supported U2F specifically or was that some other very similar looking page?

It's unfortunate that they don't have this information. I would switch services to a site that specifically supports U2F/FIDO/FIDO2 but not to a site that uses a random proprietary hardware token that is still vulnerable to phishing.


Wouldn't that fall under the "Hardware Token" column, or is that a different technology?


I'm trying to say that not all hardware tokens are created equal. A hardware RSA TOTP-esque fob offers no phishing protection, whereas a FIDO key does. It's unfortunate this site doesn't distinguish between those two cases.
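The distinction this comment draws (and the "TOTP is vulnerable to live phishing" point made earlier in the thread) comes down to one verifier-side property: a TOTP code carries no information about where it was typed, while a FIDO assertion is bound to the origin the browser reports. The block below is an added example, not code from the thread or from twofactorauth.org. The HOTP/TOTP half is RFC 4226/6238 as written and is checked against the RFCs' published test vectors. The FIDO half is a deliberately simplified model and an assumption of this example: a device-held HMAC key stands in for the credential's asymmetric key pair, and the `origin` string stands in for the origin field of WebAuthn's clientDataJSON; the verification rule, however, is the real one: the relying party checks the origin it is serving.

```python
"""Added example (not from the thread or twofactorauth.org): standard TOTP next
to a simplified origin-bound assertion, to show why only the latter resists
relay phishing at the verifier."""
import hashlib
import hmac
import struct

# Shared secret used by the RFC 4226 / RFC 6238 test vectors (ASCII digits).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1, dynamic truncation, decimal reduction."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check allowing +/- `window` steps of clock drift.

    Note the signature: there is no origin to check. Whoever holds a fresh
    code can present it, which is exactly what live relay phishing exploits.
    """
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), code)
               for d in range(-window, window + 1) if counter + d >= 0)


def fido_like_sign(device_key: bytes, challenge: bytes, origin: str) -> bytes:
    """Simplified authenticator (assumption: HMAC in place of an asymmetric
    signature). The assertion covers the RP challenge AND the origin the
    browser reports, so it only means anything for that origin."""
    signed_data = challenge + b"|" + origin.encode()
    return hmac.new(device_key, signed_data, hashlib.sha256).digest()


def fido_like_verify(device_key: bytes, challenge: bytes,
                     served_origin: str, assertion: bytes) -> bool:
    """Relying party recomputes over the origin IT served, not whatever the
    user saw. An assertion produced for a different origin never matches."""
    expected = fido_like_sign(device_key, challenge, served_origin)
    return hmac.compare_digest(expected, assertion)


if __name__ == "__main__":
    # RFC 6238 Appendix B vector: SHA-1, 8 digits, T=59 -> 94287082
    print("TOTP at t=59:", totp(RFC_TEST_SECRET, 59, digits=8))
    print("TOTP accepted, no origin involved:",
          verify_totp(RFC_TEST_SECRET, totp(RFC_TEST_SECRET, 59), 59))

    key, challenge = b"constructed-device-key", b"constructed-challenge-1"  # constructed values
    for_bank = fido_like_sign(key, challenge, "https://bank.example")
    for_other = fido_like_sign(key, challenge, "https://other.example")
    print("assertion made for served origin:",
          fido_like_verify(key, challenge, "https://bank.example", for_bank))
    print("assertion made for another origin:",
          fido_like_verify(key, challenge, "https://bank.example", for_other))
```

The TOTP-style fob the comment mentions and a standard authenticator app both compute exactly `hotp()`/`totp()` above, so from the verifier's side they are indistinguishable from a code relayed by a third party within the same 30-second window. The FIDO-style path fails closed in that situation because the origin is part of what was signed, which is the property a "Hardware Token" column would need to capture to be useful.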


Ah, thanks for the clarification. I didn't read/parse your original comment properly.



